Hello We had a user on our forum who despite having previous warnings continued to post offensive comments to other members, eventually, after applying temporary restrictions we were left with no other choice than to ban a user. In the months since, they have reregistered under different names / emails / IP addresses, but they break cover and we ban them again... and again... Earlier this year the user wrote to us asking about GDPR and asked for their account to be deleted, which we did, we also replied explaining there were no records of them held now their account had been deleted. We have now received the below email from the same user again, and hate to say I am unsure of how to reply to them I have contacted all our mod team and they all say they have not made any contact with the user - our hunch is he is calling our bluff Would it be possible to have any advice / guidance on what we can reply please? .................................... Hi Everyone, A moderator has now explicitly stated to me that the forum uses “fingerprinting” / device identification to recognise users. On that basis, I am making a formal Subject Access Request under the UK GDPR, and I’m also asking you to confirm your position under PECR in relation to cookies and similar technologies UK GDPR — Subject Access Request (Article 15) Please provide a copy of all personal data you hold about me, including (but not limited to): A) Fingerprinting / device recognition Any device/browser fingerprint data held about me (even if stored or described internally as “device identifiers”, “security signals”, “risk scoring”, “probabilistic identifiers”, etc.) The specific attributes collected/derived (e.g., device/browser characteristics, configuration data, behavioural signals) and how they are combined/used Any unique identifiers generated from this data and how long they persist Whether this data is linked to my account directly, and if so how B) Logs and other identifiers IP address history and timestamps (login/activity logs) User-agent strings and device/OS/browser details captured Cookie IDs, session IDs, and any local storage or similar identifiers associated with my account/sessions C) Moderation / security / anti-abuse data Any moderation notes, flags, decisions, ban history (if applicable), anti-spam / anti-abuse outcomes, and any “risk scores” or classifications applied to my account/device D) Third parties and sharing The recipients or categories of recipients this data is shared with (including Invision/IPS services, spam defence providers, analytics providers, or any other third parties), and what data fields are shared with each E) Purposes, lawful basis, retention The purposes for processing each category of data The lawful basis relied upon for each purpose Retention periods (or clear criteria used to determine them) for fingerprinting/device data, IP logs, and related identifiers Please supply the above in a commonly used electronic format. If you need further information to verify my identity, please specify exactly what you require. UK GDPR requires you to respond without undue delay and in any event within one month of receipt of this request. PECR / transparency — cookies and “similar technologies” Given the moderator’s statement that fingerprinting is used, please confirm the following: A) Where is this fingerprinting disclosed to users (privacy notice and/or cookie/tech notice), in clear terms? B) Is fingerprinting used only for strictly necessary security/anti-abuse purposes, or also for analytics/measurement/other purposes? C) What consent mechanism is relied upon where fingerprinting (or any non-essential tracking) is not strictly necessary? D) Do any analytics or third-party scripts/cookies load before a user has made a consent choice? Please confirm your implementation. This follow-up is not a general complaint — it’s a request for specific information and copies of the personal data you hold about me, prompted by the moderator’s confirmation that fingerprinting is being used. Regards